Monster grapples with data-breach fallout

After reporting a significant loss of client data from its database two weeks ago, online job site Monster.com is taking extensive measures to reassure customers of the site's security.

After client names, telephone numbers, addresses and personal e-mails were downloaded from the site's database, Monster began contacting customers. An e-mail sent out to all Monster.com users - not just those whose data was stolen - began, "Protecting the job seekers who use our Web site is a top priority…" and went on to explain the job site's beefed-up security measures.

Those whose information was downloaded illegally are being notified individually by Monster, but the company admits it is uncertain exactly how many users were affected by the leak. Monster CEO Sal Iannuzzi recently told Reuters that the number of users affected could be millions more than the 1.3 million originally projected.

"We don't know for sure. Despite ongoing analysis, the scope of the illegal activity is impossible to pinpoint," Kathryn Burns, spokeswoman for Monster, said in an e-mail interview with DM News.

"The consequences for the company may be very serious if job seekers walk away thinking that Monster can't be trusted," said Robert Gellman, a privacy and information policy consultant based in Washington and DM News columnist.

"And the trial lawyers have yet to be heard from," he continued. "I anticipate a rash of class-action lawsuits. Anyone who ended up as a victim of identity theft as a result of the security breach may be able to claim significant damages from Monster, and the costs could be noticeable to Monster's bottom line."

Although Monster would, legally, be able to prosecute the data thieves, Gellman noted that catching online criminals, particularly those located overseas as Monster's appear to be, is close to impossible.

Monster's main priority now seems to be regaining and maintaining clients' trust. When explaining the measures taken after the leak, Burns added, "We believe these actions are one of the reasons why job seekers continue to place their trust with Monster. Job seekers have confirmed this by posting their resumes at rates as high as before the situation started."

Burns emphasized the Monster security site at help.monster.com/besafe and other actions taken by the company, and said customer relations remain the company's main focus.

Other steps Monster has taken in response to the breach include posting a link on the company's homepage that acknowledges the leak and directs users to a page with fraud-protection tips. The company may also require employers to create more complicated passwords in the future.

Monster also has added executive level staff to its Web Site Security Task Force. The Task Force will now report directly to the chairman and CEO of the company. Security experts with experience at global Internet companies also have been brought in.

The company openly admits that the leak was not an isolated incident. Its large database - its site boasts of being "the Web's largest resume database" and holds more than 25 million resumes - makes it a prime target for information thieves.

Some experts doubt whether Monster should have returned to business so soon.

Gellman weighed in, "Leaks like this can always be prevented. If a company cannot provide security when collecting so much sensitive personal information from so many people, it should close down entirely until it can. [Monster] should close down until it can offer independently verified guarantees that its operations are secure."

He pointed out that other companies that have had security breaches have offered free credit monitoring to victims and suggested that tack could be "an appropriate remedy."

"I think that Monster will be hurt, and other job sites will as well," Gellman said. "But lots of people don't read their e-mail, so the notice from Monster may not be read - especially coming at the end of August."

Information from job seekers was downloaded to a remote server in Ukraine. Monster security said the break-in was made using legitimate employer log-in names and passwords and was therefore not a case of hacking.
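The break-in described above used valid employer credentials, so password checks alone would not have caught it; what distinguishes a scraper from a recruiter is the access pattern. The following is an added example (not Monster's code) of two checks a defender can run over resume-access logs: an account viewing far more resumes per window than a human could read, and a single source address logging in as many different employer accounts. The log format, field names, thresholds and the sample records are all constructed for this illustration.

```python
"""Spot bulk resume access made with legitimate employer credentials.

Added example; the log line format '<ISO8601> acct=<name> src=<ip>
action=<verb> id=<resume>' and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one access-log line of the assumed format into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def find_bulk_access(lines, window=timedelta(minutes=10), max_views=100):
    """Flag (account, source IP) pairs that view more than max_views resumes
    inside a sliding time window. Returns {(acct, src): peak count}."""
    recs = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    recent = defaultdict(deque)  # (acct, src) -> timestamps still in window
    flagged = {}
    for r in recs:
        if r.get("action") != "view_resume":
            continue
        key = (r["acct"], r["src"])
        q = recent[key]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_views:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def shared_source_accounts(lines, min_accounts=3):
    """Flag source IPs used by at least min_accounts distinct employer
    accounts: one machine working through a set of harvested logins."""
    accounts = defaultdict(set)
    for r in map(parse_line, lines):
        accounts[r["src"]].add(r["acct"])
    return {src: sorted(a) for src, a in accounts.items() if len(a) >= min_accounts}


def build_sample_log():
    """Constructed sample data: one normal recruiter, one scraper, and two
    low-volume accounts sharing the scraper's address."""
    base = datetime(2007, 8, 17, 2, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # employer-a: six views spread over an hour from its own address
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.strftime(fmt)} acct=employer-a src=198.51.100.20 action=view_resume id=r{1000 + i}")
    # employer-b: 150 views in five minutes from a single remote address
    for i in range(150):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.strftime(fmt)} acct=employer-b src=203.0.113.7 action=view_resume id=r{2000 + i}")
    # employer-c and employer-d: a few views each, same remote address as employer-b
    for name, offset in (("employer-c", 20), ("employer-d", 40)):
        for i in range(3):
            t = base + timedelta(minutes=offset + i)
            lines.append(f"{t.strftime(fmt)} acct={name} src=203.0.113.7 action=view_resume id=r{3000 + i}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("bulk access:", find_bulk_access(log))
    print("shared sources:", shared_source_accounts(log))
```

Both checks are cheap enough to run continuously against an access log, and the second one is the more telling here: a recruiter's own workstation rarely signs in as three unrelated employers within an hour.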

The Monster site does not generally collect "high-risk" information such as Social Security numbers or credit card information. However, the information gleaned can be used to create spam e-mail and other pesky intrusions on users' lives.

One security concern, expressed at length on the Monster site and in e-mails sent to clients, was that information would be used to create "phishing" e-mails. Phishing messages look like they were sent from a legitimate address but are actually fakes intended to get recipients' personal information, such as bank account numbers.
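A phishing message of the kind described above can be caught by a few header and body checks. As an added example (not from the article or from Monster), the script below inspects a constructed e-mail for the tell-tale mismatches: a display name naming a trusted brand while the address is on another domain, a Reply-To that differs from the sender, link text that shows one host while the href points at another, and hostnames that merely contain the brand name. The trusted-domain list, the sample messages and their `.example` hosts are all assumptions made for the illustration.

```python
"""Heuristic phishing indicators for a single-part HTML e-mail.

Added example; TRUSTED_DOMAINS and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"monster.com"}  # assumption: the brand the mail claims to be from


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; crude, but enough for .com-style names."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Display name invokes a trusted brand but the address lives elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and from_dom != trusted:
            findings.append(f"display name '{name}' but sender domain '{from_dom}'")
    # 2. Replies are steered to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registered_domain(reply.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To domain differs from sender: '{reply}'")
    # 3. Links: visible text vs. real target, and brand-name lookalike hosts.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_dom = registered_domain(href_host)
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registered_domain(shown.group(0)) != href_dom:
            findings.append(f"link text shows '{shown.group(0)}' but points to '{href_host}'")
        if href_dom not in TRUSTED_DOMAINS and any(t.split(".")[0] in href_host for t in TRUSTED_DOMAINS):
            findings.append(f"lookalike host '{href_host}'")
    return findings


# Constructed sample: the lure pattern the article describes, with made-up hosts.
SAMPLE_PHISH = """\
From: Monster Job Seeker Team <alerts@monster-careers-update.example>
Reply-To: support@mailbox-relay.example
To: jobseeker@example.org
Subject: Install the new Monster Job Seeker tool
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Download the Monster Job Seeker tool to keep your resume visible:</p>
<a href="http://monster-jobseeker-tool.example/setup.exe">http://www.monster.com/jobseeker</a>
</body></html>
"""

# Constructed sample of a benign notice pointing at the real help page.
SAMPLE_LEGIT = """\
From: Monster <noreply@monster.com>
To: jobseeker@example.org
Subject: Security notice
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://help.monster.com/besafe">help.monster.com/besafe</a> for safety tips.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

None of these checks proves a message is fraudulent on its own; a mail gateway would combine them with authentication results (SPF, DKIM, DMARC) before quarantining, and the crude two-label domain function should be replaced with a public-suffix list in production.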

In an instance reported by the BBC, some e-mails offering a Monster Job Seeker download were sent to Monster users after the leak. The download was actually a program that encrypted victims' data and demanded a ransom for decryption.

"It is sad to say that security breaches are a dime a dozen these days," said Gellman. "I suspect that virtually everyone has been the victim of a security breach, whether they know it or not."